Intermittent NXDOMAIN for a name we are forwarding

blrmaani blrmaani at gmail.com
Mon Feb 29 05:25:09 UTC 2016 

On Sunday, February 21, 2016 at 8:46:19 PM UTC-8, Mark Andrews wrote:
> In message <2f868c2b-d04b-4caf-abd7-8176352ccfa5 at googlegroups.com>, blrmaani wr
> ites:
> > On Friday, February 19, 2016 at 5:09:02 PM UTC-8, blrmaani wrote:
> > > We have a DNS setup where we forward a name in one domain to 5 external nam
> > eservers. We see NXDOMAIN error intermittently (once in couple of weeks). How
> >  do I debug this issue?
> > > 
> > > I took a cache dump on our DNS and 2 out of 5 nameserver IPs appear in "Una
> > ssociated entries" when the problem happens.
> > > 
> > > Any advice to troubleshoot this issue is greatly appreciated.
> > > 
> > > Thanks
> > > Blr
> > 
> > the cache dump also has this entry (myname.mydomain.com is name I am interest
> > ed in)
> > 
> > myname.mydomain.com  10324   \-ANY   ;-$NXDOMAIN
> > 
> > Which probably means if anyone requests for myname.mydomain.com, they will be
> >  handed NXDOMAIN for upto 10324 seconds from now..
> 
> Correct.
>  
> > Our current work around is to restart named (which cache) or we could do a 'r
> > ndc flush'. 
> > 
> > Question: Is there a BIND option to say 'Don't cache myname.mydomain.com for 
> > NXDOMAIN error code?'
> 
> No.  Fix the source of the NXDOMAIN.  Ask all the external nameservers
> for "myname.mydomain.com type666" and see what they respond with.  If
> it is NXDOMAIN then you have the source(s) if the NXDOMAIN.
> 
> e.g.
> 	dig @server myname.mydomain.com type666
> 
> This is a case of Garbage In (NXDOMAIN) - Garbage Out (NXDOMAIN).
>  
> > Alternatively, I can have a local query for this and flush cache if error cod
> > e is NXDOMAIN, but is hacky.. I would like a config option
> > 
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> >  from this list
> > 
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

Thanks a lot for the responses ..

I ran dig several times in a loop querying for the name with type=type666 and see only SERVFAIL. The NXDOMAIN occurs approx once in 2 weeks (per incident report). I guess I have to run several iterations of queries to see NXDOMAIN..


I see this in the cache dump:
...
...
; authauthority
myname.mydomain.com  10324   \-ANY   ;-$NXDOMAIN
<SOA line for the above domain here>
...
...

More information about the bind-users mailing list